|Home » Industry Watch » The Technological
Cracking the Tube
And cracking lots of other cool things too.
Bart Jacobs at Radboud University in Nijmegen in the Netherlands tried hacking an access card to a building. It worked. So Jacobs and his team traveled to London to try it on the Underground. As the system - called 'MIFARE' and using so called 'Oyster Cards' - was the same.
Gee whiz it worked again.
They scanned a card reader to get the cryptographic key, uploaded to a laptop, then brushed up against passengers to wirelessly upload their own card information. And with all that information Bart Jacobs and his friends could easily make their own cards for free travel.
Cool. So far. Now for a few things that aren't as cool.
For it namely turns out the MIFARE chip used in those Oyster Cards is the same one used in thousands of secure locations. As for the cryptography? It's simply not fit for purpose, says Adam Laurie to the London Daily Telegraph.
The MIFARE Oyster Cards are used to gain access to government offices, hospitals, and schools in Britain.
The Dutch authorities learned of the breach in April; they responded by posting armed guards outside all their buildings. And it now looks like they'll have to spend millions to upgrade their systems. They'll be replacing 120,000 cards at a cost of about US$8 each.
There's no word yet MIFARE acknowledge selling a Really Stupid System™.
The Cabinet Office in Britain refuse to comment on the breach.
Telegraph: Oyster Card - Fears Over MIFARE Security